Anyconnect

Hey All

I'm currently in the process of labbing AnyConnect and I'm having trouble getting it to work with certificate authentication. Here is the ASA config:

ASA Version 8.4(2) 
!
hostname asa
domain-name company.local
!
access-list outside extended permit ip any any 
!
ip local pool Pool 12.12.12.1-12.12.12.200 mask 255.255.255.0
!
crypto ca trustpoint trust
 enrollment terminal
 fqdn asa.truphone.local
 subject-name cn=asa01.company.local
 keypair anyconnect
 crl configure
crypto ca certificate chain trust
 certificate 1ab0bbd700000000001f
  quit
 certificate ca 2d9559a30af0b39a475088f947805eb2

ssl trust-point trust
ssl trust-point trust outside
ssl certificate-authentication interface outside port 443
webvpn
 enable outside
 anyconnect image disk0:/anyconnectnew.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy anyconnect internal
!
group-policy anyconnect attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 address-pools value pool
 webvpn
  anyconnect keep-installer installed
  anyconnect ask enable default anyconnect
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username cisco attributes
 group-lock value RA
tunnel-group RA type remote-access
tunnel-group RA general-attributes
 default-group-policy anyconnect
 authorization-required
 username-from-certificate CN
tunnel-group RA webvpn-attributes
 authentication certificate
 group-alias RA enable
!
!

I have the root cert and an identity certificate. I also have the same on the PC I'm testing from. The ASA cert has the Server Authentication attribute and the PC cert has the Client Authentication attribute.

 

When I attempt to connect the Anyconnect software says "no valid certificate available for authentication" and the ASA produces the following debug output:

 

asa# CERT_API: Authenticate session 0x07bd8839, non-blocking cb=0x08e84230
CERT API thread wakes up!
CERT_API: process msg cmd=0, session=0x07bd8839
CERT_API: Async locked for session 0x07bd8839

CRYPTO_PKI: Checking to see if an identical cert is
 already in the database...

CRYPTO_PKI: looking for cert in handle=0xbbbac844, digest=
7d ba 91 8e e5 b5 e6 33 05 80 77 86 c7 f4 f4 ad    |  }......3..w.....

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database. 

CRYPTO_PKI: Looking for suitable trustpoints...

CRYPTO_PKI: Storage context locked by thread CERT API

CRYPTO_PKI: Found a suitable authenticated trustpoint trust.

CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.7.3.2
CRYPTO_PKI:check_key_usage:Key Usage check OK

CRYPTO_PKI: Certificate validation: Successful, status: 0. Attempting to retrieve revocation status if necessary

CRYPTO_PKI:Certificate validated. serial number: 1BA13A9C000000000022, subject name:  cn=Lee Wray,o=Company.

CRYPTO_PKI: Storage context released by thread CERT API

CRYPTO_PKI: Certificate validated without revocation check
CERT_API: calling user callback=0x08e84230 with status=0
CERT_API: Close session 0x07bd8839 asynchronously
CERT_API: Async unlocked for session 0x07bd8839
CERT_API: process msg cmd=1, session=0x07bd8839
CERT_API: Async locked for session 0x07bd8839
CERT_API: Async unlocked for session 0x07bd8839
CERT API thread sleeps!

CRYPTO_PKI: Attempting to find tunnel group for cert with serial number: 1BA13A9C000000000022, subject name: cn=Lee Wray,o=Company, issuer_name: cn=CompanyCA,dc=Company,dc=local.
CRYPTO_PKI: No Tunnel Group Match for peer certificate.
CERT_API: Unable to find tunnel group for cert using rules (SSL)
Public archive directives retrieved from cache for index 1.
Public archive directives retrieved from cache for index 1.

 

I have configured a certificate map and the output reflects that a match has been found but the client still gives the same error and the ASA debug gets no further than above.

 

What am I doing wrong here?

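The debug above stops at "No Tunnel Group Match for peer certificate": the certificate validated fine, but the ASA could not map it to a tunnel group through certificate-map rules (the config as posted shows no crypto ca certificate map or certificate-group-map binding). The Python below is an added example, not code from the post or from Cisco: it parses that "Attempting to find tunnel group" debug line and evaluates hypothetical certificate-map rules against the certificate's subject and issuer the way the ASA does, assuming DN comparisons are case-insensitive and all rules within one map entry are ANDed; the map names, sequence numbers and the binding to tunnel group RA are constructed.

```python
import re
from collections import namedtuple
# A "crypto ca certificate map" rule: field is "subject" or "issuer", attr the RDN
# attribute (None = compare the whole DN string), op one of eq/ne/co/nc as on the ASA.
Rule = namedtuple("Rule", "field attr op value")
# Assumption: ASA DN comparisons are case-insensitive and "co" is a substring test.
OPS = {"eq": lambda have, want: have.lower() == want.lower(),
       "ne": lambda have, want: have.lower() != want.lower(),
       "co": lambda have, want: want.lower() in have.lower(),
       "nc": lambda have, want: want.lower() not in have.lower()}

def parse_dn(dn):
    """'cn=CompanyCA,dc=Company,dc=local' -> {'cn': ['CompanyCA'], 'dc': ['Company', 'local']}"""
    attrs = {}
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return attrs

def parse_find_tunnel_group_line(line):
    """Pull serial, subject and issuer out of the 'Attempting to find tunnel group' debug line."""
    m = re.search(r"serial number: (\w+), subject name: (.*?), issuer_name: (.*?)\.?$", line)
    if not m:
        return None
    serial, subject, issuer = m.groups()
    return {"serial": serial, "subject_dn": subject, "issuer_dn": issuer,
            "subject": parse_dn(subject), "issuer": parse_dn(issuer)}

def rule_matches(rule, cert):
    if rule.attr is None:
        values = [cert[rule.field + "_dn"]]
    else:
        values = cert[rule.field].get(rule.attr.lower(), [])
    # An attribute the cert lacks gives nothing to compare, so the rule fails (assumption).
    return any(OPS[rule.op](v, rule.value) for v in values)

def select_tunnel_group(cert, group_maps):
    """group_maps: ordered (map_name, seq, rules, tunnel_group) tuples mirroring the
    'certificate-group-map' bindings; every rule of an entry must match (ANDed)."""
    for _name, _seq, rules, tunnel_group in group_maps:
        if rules and all(rule_matches(r, cert) for r in rules):
            return tunnel_group
    return None  # what the ASA reports as "No Tunnel Group Match for peer certificate"

# Constructed inputs: the debug line quoted in the post, and two hypothetical maps.
DEBUG_LINE = ("CRYPTO_PKI: Attempting to find tunnel group for cert with serial number: "
              "1BA13A9C000000000022, subject name: cn=Lee Wray,o=Company, "
              "issuer_name: cn=CompanyCA,dc=Company,dc=local.")
COMPANY_MAP = [("COMPANY-MAP", 10, [Rule("issuer", "cn", "eq", "CompanyCA"),
                                    Rule("subject", "o", "eq", "Company")], "RA")]
STRICT_MAP = [("STRICT", 10, [Rule("subject", "cn", "co", ".company.local")], "RA")]
```

COMPANY_MAP selects RA for the certificate in the debug, while STRICT_MAP (which expects an FQDN-style CN) returns None, which is the outcome the debug shows.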
Hi,

 

Can you enable the URL in the tunnel group configuration?

tunnel-group RA webvpn-attributes

group-url https://<URL / IP Address> enable

 

Also, does the end-user machine from which you are trying to run AnyConnect have any administrative restrictions?

 

Regards

Karthik

 

Hey Karthik

 

The first command made no difference, I'm afraid.

The user account I'm using is the Admin account, so there are no restrictions.

 

This appears to me to be an issue with the certificate on the client. I've tried from an XP and a Win7 client and I get the same thing. I have no idea what to try next.

 

Lee